Revert "Add option for insecure tls backend"

simplificator · Oct 21, 2024 · 1f5fa1e · 1f5fa1e
1 parent 7a0ae28
commit 1f5fa1e
Show file tree

Hide file tree

Showing 3 changed files with 16 additions and 30 deletions.
diff --git a/README.md b/README.md
@@ -13,7 +13,7 @@ N/A
 If you only want to install Caddy, you don't need to set any variables. If you want to configure Caddy as a reverse proxy as well, you can provide an array of objects named `caddy_sites` with the following values:
 
 * `additional_forwarding_ports`: Allows to define a list with additional ports where Caddy should listen for this domain and forward to HTTPS.
-* `allowlist`: An array if IP addresses in CIDR-notation which are allowed to access this route (Optional). All other visitors receive a 404 error.
+* `allowlist`: An array if IP addresses in CIDR-notation which are allowed to access this site (Optional). All other visitors receive a 404 error.
 * `certificate_file`: You can set this variable if you want to provide the certificate by yourself (Optional). The certificate needs permissions `0640`, with root as Owner and Caddy as Group.
 * `certificate_key`: You can set this variable if you want to provide the certificate by yourself (Optional).
 * `domain`: The domain caddy should listen to.
@@ -67,15 +67,14 @@ With reverse proxy configuration and redirects:
   vars:
     caddy_sites:
       - domain: example.com
-        tls_insecure: true
         routes:
           - path: ''
             reverse_proxy_destination: 192.168.50.2
-            allowlist:
-              - 8.8.8.8/32
         redirects:
           - source: ''
             target: '/'
+        allowlist:
+          - 8.8.8.8/32
         additional_forwarding_ports:
           - '8080'
           - '1337'

diff --git a/molecule/reverse-proxy/converge.yml b/molecule/reverse-proxy/converge.yml
@@ -9,18 +9,17 @@
   vars:
     caddy_sites:
       - domain: example.com
-        tls_insecure: false
         routes:
           - path: ''
             reverse_proxy_destination: 192.168.50.2
-            allowlist:
-              - 8.8.8.8/32
         redirects:
           - source: ''
             target: /
           - source: '/about-us'
             target: '/about'
             code: 401
+        allowlist:
+          - 8.8.8.8/32
         additional_forwarding_ports:
           - '8080'
           - '1337'
@@ -34,10 +33,8 @@
           - path: '/public/*'
             ignore_allowlist: true
             reverse_proxy_destination: 192.168.50.3
-            allowlist:
-              - 8.8.8.8/32
           - path: '/protected/*'
             strip_prefix: true
             reverse_proxy_destination: 192.168.50.4
-            allowlist:
-              - 8.8.8.8/32
+        allowlist:
+          - 8.8.8.8/32
diff --git a/templates/Caddyfile.j2 b/templates/Caddyfile.j2
@@ -5,17 +5,15 @@
 
 {% for site in caddy_sites %}
 {{ site.domain }} {
-  {% for route in site.routes %}
-  {%- if route.allowlist is defined%}
-  @allowlist{{loop.index}} {
-    remote_ip {% for ip in route.allowlist %} {{ ip }}{% endfor %}
+  {%- if site.allowlist is defined %}
+  @allowlist {
+    remote_ip {% for ip in site.allowlist %} {{ ip }}{% endfor %}
   }
 
-  @not_allowlist{{loop.index}} {
-    not remote_ip {% for ip in route.allowlist %} {{ ip }}{% endfor %}
+  @not_allowlist {
+    not remote_ip {% for ip in site.allowlist %} {{ ip }}{% endfor %}
   }
   {% endif %}
-  {% endfor %}
 
   {%- if site.additional_template_path is defined %}
   {% include site.additional_template_path %}
@@ -33,19 +31,11 @@
   {%- else %}
   handle {{ route.path }} {
   {%- endif %}
-    {%- if route.allowlist is defined and not (route.ignore_allowlist| default(false)) %}
-    reverse_proxy @allowlist{{loop.index}} {{ route.reverse_proxy_destination }}{%- if site.tls_insecure%} {
-      transport http {
-          tls_insecure_skip_verify
-      }
-    }{%- endif %}
-    respond @not_allowlist{{loop.index}} 404
+    {%- if site.allowlist is defined and not (route.ignore_allowlist| default(false)) %}
+    reverse_proxy @allowlist {{ route.reverse_proxy_destination }}
+    respond @not_allowlist 404
     {%- else %}
-    reverse_proxy {{ route.reverse_proxy_destination }}{%- if site.tls_insecure%} {
-      transport http {
-          tls_insecure_skip_verify
-      }
-    }{%- endif %}
+    reverse_proxy {{ route.reverse_proxy_destination }}
     {%- endif %}
   }
   {%- endfor %}